Re: public schema default ACL
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
Cc: Noah Misch <noah@leadboat.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, Magnus Hagander <magnus@hagander.net>, "David G. Johnston" <david.g.johnston@gmail.com>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Date: 2020-11-02T15:39:10Z
Lists: pgsql-hackers
Greetings, * Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote: > On 2020-10-31 17:35, Noah Misch wrote: > >Overall, that's 3.2 votes for (b)(3)(X) and 0.0 to 1.0 votes for changing > >nothing. That suffices to proceed with (b)(3)(X). However, given the few > >votes and the conspicuous non-responses, work in this area has a high risk of > >failure. Hence, I will place it at a low-priority position in my queue. > > My vote would also be (b)(3)(X). Allowing the database owner to manage the > public schema within their database makes a lot of sense, independent of any > overarching goals. Agreed. > I'm not convinced, however, that this would would really move the needle in > terms of the general security-uneasiness about the public schema and search > paths. AFAICT, in any of your proposals, the default would still be to have > the public schema world-writable and in the path. Looks like the proposal wasn't explicitly clear on this point and I, at least, took the proposal to implicitly also be saying that the public schema's ACL would be the default- meaning that the owner would be able to create objects in the schema and to use it, but other users wouldn't be able to (or, perhaps, that USAGE rights would be GRANT'd to public, but not CREATE). Seems we probably need another round of votes where it's made very clear what the default ACL (not from a dump/reload) on the public schema would be. Thanks, Stephen
Commits
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 landed
-
Document security implications of search_path and the public schema.
- 5770172cb0c9 11.0 cited